It's 2017, and UPnP is helping black-hats run banking malware

The company's Avishay Zawoznik, Johnathan Azaria, and Igal Zeifman wrote that while some of the attack packets came from familiar UDP ports, others were randomised.

In trying to replicate the behaviour, the three researchers concluded that attackers were using UPnP on badly-secured devices like routers (turn it off, people), and then set about reproducing the attack themselves.

It's not particularly difficult, especially with Shodan to help. The required steps are:

1. Discover targets on Shodan by searching for the rootDesc.xml file (Imperva found 1.3 million devices);

2. Use HTTP to access rootDesc.xml;

3. Modify the victim's port forwarding rules (the researchers noted that this isn't supposed to work, since port forwarding should be between internal and external addresses, but “few routers actually bother to verify that a provided 'internal IP' is actually internal, and [they abide] by all forwarding rules as a result”);

4. Launch the attack.

That means an attacker can create a port forwarding rule that spoofs a victim's IP address – so a bunch of ill-secured routers can be sent a DNS request which they'll try to return to the victim, in the classic redirection DDoS attack.
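As an added example (not the researchers' code, nor anything from the Imperva post), here is the check a router's UPnP IGD service should apply to the AddPortMapping step described above: refuse requests that arrive from outside the LAN, and refuse any "internal client" that is not actually a LAN address, so a mapping can never be pointed at an outside victim. The LAN subnet and the sample SOAP request are constructed for the demonstration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Assumed LAN subnet; a real router would take this from its LAN interface.
LAN_NETWORK = ipaddress.ip_network("192.168.1.0/24")
IGD_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"

# Constructed sample: an AddPortMapping whose "internal" client is a public
# address (203.0.113.5), which is the pattern the article describes.
SAMPLE_REQUEST = """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
  <s:Body>
    <u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
      <NewExternalPort>53</NewExternalPort>
      <NewProtocol>UDP</NewProtocol>
      <NewInternalPort>53</NewInternalPort>
      <NewInternalClient>203.0.113.5</NewInternalClient>
      <NewEnabled>1</NewEnabled>
      <NewLeaseDuration>0</NewLeaseDuration>
    </u:AddPortMapping>
  </s:Body>
</s:Envelope>"""


def parse_add_port_mapping(soap_body: str) -> dict:
    """Return the arguments of an IGD AddPortMapping SOAP action as a dict."""
    root = ET.fromstring(soap_body)
    action = root.find(f".//{{{IGD_NS}}}AddPortMapping")
    if action is None:
        raise ValueError("not an AddPortMapping request")
    # Argument elements are unnamespaced children of the action element.
    return {child.tag: (child.text or "").strip() for child in action}


def mapping_is_acceptable(args: dict, requester_ip: str, lan=LAN_NETWORK):
    """Return (ok, reason): the two checks the article says most routers skip,
    i.e. the requester must be a LAN host and NewInternalClient must be inside
    the LAN, so port forwarding stays strictly internal-to-external."""
    try:
        requester = ipaddress.ip_address(requester_ip)
        internal = ipaddress.ip_address(args["NewInternalClient"])
    except (KeyError, ValueError) as exc:
        return False, f"malformed request: {exc}"
    if requester not in lan:
        return False, "AddPortMapping from outside the LAN refused"
    if internal not in lan:
        return False, f"NewInternalClient {internal} is not inside {lan}"
    return True, "ok"
```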

The port forwarding lets an attacker use “evasive ports”, “enabling them to bypass commonplace scrubbing directives that identify amplification payloads by looking for source port data for blacklisting”, the post explained.

The researchers noted that this style of attack isn't limited to reflecting DNS queries – late in April 2018, they observed a low-volume attack (probably probing) using Network Time Protocol responses over irregular ports.

The lesson is simple: sysadmins need to block UPnP from Internet-facing access; and vendors making consumer-grade devices need to make that block the device default. ®